fix(web): ship findings compare baseline availability

2026-03-08 15:13:32 +02:00
parent 30532800ec
commit 6be4a25d17
7 changed files with 291 additions and 10 deletions
--- a/src/Web/StellaOps.Web/tests/e2e/findings-compare-baseline-availability.spec.ts
+++ b/src/Web/StellaOps.Web/tests/e2e/findings-compare-baseline-availability.spec.ts
@@ -0,0 +1,220 @@
+import { expect, test, type Page, type Route } from '@playwright/test';
+
+import type { StubAuthSession } from '../../src/app/testing/auth-fixtures';
+
+const analystSession: StubAuthSession = {
+  subjectId: 'findings-compare-e2e-user',
+  tenant: 'demo-prod',
+  scopes: [
+    'admin',
+    'ui.read',
+    'findings:read',
+    'release:read',
+    'policy:read',
+    'vex:read',
+  ],
+};
+
+const mockConfig = {
+  authority: {
+    issuer: '/authority',
+    clientId: 'stella-ops-ui',
+    authorizeEndpoint: '/authority/connect/authorize',
+    tokenEndpoint: '/authority/connect/token',
+    logoutEndpoint: '/authority/connect/logout',
+    redirectUri: 'https://127.0.0.1:4400/auth/callback',
+    postLogoutRedirectUri: 'https://127.0.0.1:4400/',
+    scope: 'openid profile email ui.read',
+    audience: '/gateway',
+    dpopAlgorithms: ['ES256'],
+    refreshLeewaySeconds: 60,
+  },
+  apiBaseUrls: {
+    authority: '/authority',
+    scanner: '/scanner',
+    policy: '/policy',
+    concelier: '/concelier',
+    attestor: '/attestor',
+    gateway: '/gateway',
+  },
+  quickstartMode: true,
+  setup: 'complete',
+};
+
+const findingsResponse = {
+  items: [
+    {
+      findingId: 'finding-001',
+      cveId: 'CVE-2026-8001',
+      severity: 'critical',
+      packageName: 'backend-api',
+      componentName: '2.5.0',
+      releaseId: 'rel-001',
+      releaseName: 'Payments API',
+      environment: 'stage',
+      region: 'us-east',
+      reachable: true,
+      reachabilityScore: 9.4,
+      effectiveDisposition: 'affected',
+      vexStatus: 'affected',
+      updatedAt: '2026-03-08T10:10:00Z',
+    },
+  ],
+};
+
+async function fulfillJson(route: Route, body: unknown, status = 200): Promise<void> {
+  await route.fulfill({
+    status,
+    contentType: 'application/json',
+    body: JSON.stringify(body),
+  });
+}
+
+async function setupHarness(page: Page): Promise<{ baselineCalls: () => number; deltaCalls: () => number }> {
+  let baselineCallCount = 0;
+  let deltaCallCount = 0;
+
+  await page.addInitScript((session) => {
+    (window as { __stellaopsTestSession?: unknown }).__stellaopsTestSession = session;
+  }, analystSession);
+
+  await page.route('**/api/**', (route) => fulfillJson(route, {}));
+  await page.route('**/platform/envsettings.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/platform/i18n/*.json', (route) => fulfillJson(route, {}));
+  await page.route('**/config.json', (route) => fulfillJson(route, mockConfig));
+  await page.route('**/.well-known/openid-configuration', (route) =>
+    fulfillJson(route, {
+      issuer: 'https://127.0.0.1:4400/authority',
+      authorization_endpoint: 'https://127.0.0.1:4400/authority/connect/authorize',
+      token_endpoint: 'https://127.0.0.1:4400/authority/connect/token',
+      jwks_uri: 'https://127.0.0.1:4400/authority/.well-known/jwks.json',
+      response_types_supported: ['code'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['RS256'],
+    }),
+  );
+  await page.route('**/authority/.well-known/jwks.json', (route) => fulfillJson(route, { keys: [] }));
+  await page.route('**/console/branding**', (route) =>
+    fulfillJson(route, {
+      tenantId: analystSession.tenant,
+      appName: 'Stella Ops',
+      logoUrl: null,
+      cssVariables: {},
+    }),
+  );
+  await page.route('**/console/profile**', (route) =>
+    fulfillJson(route, {
+      subjectId: analystSession.subjectId,
+      username: 'findings-compare-e2e',
+      displayName: 'Findings Compare E2E',
+      tenant: analystSession.tenant,
+      roles: ['security-analyst'],
+      scopes: analystSession.scopes,
+    }),
+  );
+  await page.route('**/console/token/introspect**', (route) =>
+    fulfillJson(route, {
+      active: true,
+      tenant: analystSession.tenant,
+      subject: analystSession.subjectId,
+      scopes: analystSession.scopes,
+    }),
+  );
+  await page.route('**/authority/console/tenants**', (route) =>
+    fulfillJson(route, {
+      tenants: [
+        {
+          tenantId: analystSession.tenant,
+          displayName: 'Demo Prod',
+          isDefault: true,
+          isActive: true,
+        },
+      ],
+    }),
+  );
+  await page.route('**/api/v2/context/regions**', (route) =>
+    fulfillJson(route, [{ regionId: 'us-east', displayName: 'US East', sortOrder: 1, enabled: true }]),
+  );
+  await page.route('**/api/v2/context/environments**', (route) =>
+    fulfillJson(route, [
+      {
+        environmentId: 'stage',
+        regionId: 'us-east',
+        environmentType: 'stage',
+        displayName: 'Stage',
+        sortOrder: 1,
+        enabled: true,
+      },
+    ]),
+  );
+  await page.route('**/api/v2/context/preferences**', (route) =>
+    fulfillJson(route, {
+      tenantId: analystSession.tenant,
+      actorId: analystSession.subjectId,
+      regions: ['us-east'],
+      environments: ['stage'],
+      timeWindow: '24h',
+      stage: 'all',
+      updatedAt: '2026-03-08T10:00:00Z',
+      updatedBy: analystSession.subjectId,
+    }),
+  );
+  await page.route(/\/api\/compare\/baselines\/active-scan(?:\?.*)?$/, async (route) => {
+    baselineCallCount += 1;
+    await fulfillJson(route, {
+      selectedDigest: null,
+      selectionReason: 'No baseline recommendations available for this scan',
+      alternatives: [],
+      autoSelectEnabled: true,
+      scanDigest: 'active-scan',
+    });
+  });
+  await page.route(/\/api\/compare\/delta(?:\?.*)?$/, async (route) => {
+    deltaCallCount += 1;
+    await fulfillJson(route, { categories: [], items: [] });
+  });
+  await page.route(/\/api\/compare\/evidence\/.*$/, async (route) => {
+    deltaCallCount += 1;
+    await fulfillJson(route, []);
+  });
+  await page.route(/\/api\/v2\/security\/findings(?:\?.*)?$/, (route) =>
+    fulfillJson(route, findingsResponse),
+  );
+
+  return {
+    baselineCalls: () => baselineCallCount,
+    deltaCalls: () => deltaCallCount,
+  };
+}
+
+test('security findings diff view shows truthful no-baseline state for the active scan', async ({ page }) => {
+  const calls = await setupHarness(page);
+
+  await page.goto('/security/findings?tenant=demo-prod&regions=us-east&environments=stage&timeWindow=7d', {
+    waitUntil: 'networkidle',
+  });
+
+  await expect(page.getByText('Comparing:')).toBeVisible();
+  await expect(page.getByText('Active scan')).toBeVisible();
+  await expect(page.getByText('No baselines available')).toBeVisible();
+  await expect(page.getByText('No baseline recommendations available for this scan')).toBeVisible();
+  await expect(page.getByText('Comparison evidence becomes available after a baseline is selected.')).toBeVisible();
+  await expect(page.getByRole('button', { name: 'Export' })).toBeDisabled();
+  await expect(page.getByText('No immediate actions required')).toBeVisible();
+  expect(calls.baselineCalls()).toBeGreaterThan(0);
+  expect(calls.deltaCalls()).toBe(0);
+});
+
+test('security findings detail view keeps live findings and hides the stale audit export action', async ({ page }) => {
+  await setupHarness(page);
+
+  await page.goto('/security/findings?tenant=demo-prod&regions=us-east&environments=stage&timeWindow=7d&view=detail', {
+    waitUntil: 'networkidle',
+  });
+
+  await expect(page.getByText('finding-001')).toBeVisible();
+  await expect(page.getByText('backend-api')).toBeVisible();
+  await expect(page.getByText('2.5.0')).toBeVisible();
+  await expect(page.getByText('Comparing:')).toHaveCount(0);
+  await expect(page.getByText('Export Audit Pack')).toHaveCount(0);
+});